[00:00.000 --> 00:01.660]  Thank you for joining my talk.
[00:02.660 --> 00:04.400]  I guess some of you are having nighttime
[00:04.400 --> 00:06.560]  and some of you are having daytime,
[00:06.560 --> 00:09.520]  but again, thank you for joining in.
[00:10.040 --> 00:12.360]  I would like to thank the DEF CON Red Team Village
[00:12.360 --> 00:16.280]  for providing me the opportunity to speak on the subject,
[00:16.280 --> 00:18.720]  which is from discovery to disclosure.
[00:22.510 --> 00:24.370]  So I do cybersecurity
[00:24.370 --> 00:27.190]  for a financial institution here in Pakistan.
[00:27.530 --> 00:31.930]  And when I'm done with my official responsibilities,
[00:31.930 --> 00:36.110]  I do security research, which is one of my hobbies.
[00:36.750 --> 00:39.450]  Before the information security career,
[00:39.450 --> 00:42.010]  I used to develop mobile applications,
[00:42.010 --> 00:44.330]  web applications, and vice versa.
[00:45.790 --> 00:48.770]  Mobile applications and IoT industry
[00:48.770 --> 00:50.390]  have been really fascinating
[00:51.070 --> 00:53.890]  and I look forward to learning more about them,
[00:54.410 --> 00:57.790]  as they are among the growing industries.
[00:57.790 --> 01:01.870]  And with the stuff that is growing,
[01:01.870 --> 01:06.450]  there are also vulnerabilities or bugs or risks around it.
[01:08.790 --> 01:12.010]  Today, the focus of my talk will be Android applications
[01:12.770 --> 01:14.690]  and their controls.
[01:15.510 --> 01:17.770]  Why Android applications?
[01:17.770 --> 01:20.250]  Because they are commonly used by people
[01:21.030 --> 01:22.990]  for ease of access.
[01:23.130 --> 01:26.750]  So when you are developing mobile applications,
[01:26.750 --> 01:29.590]  let's say for iOS or Android,
[01:29.590 --> 01:31.530]  you are required to integrate an API,
[01:32.410 --> 01:35.250]  because that helps you to fetch the dynamic data
[01:35.250 --> 01:38.730]  or the data that is stored in the database.
[01:38.730 --> 01:40.770]  So with the help of API,
[01:40.770 --> 01:43.270]  which is actually a bridge between a database
[01:44.070 --> 01:45.510]  and an application,
[01:45.510 --> 01:47.870]  you are able to perform your operations
[01:48.670 --> 01:50.730]  more smoothly and easily.
[01:52.710 --> 01:55.730]  Let's talk about some mobile application security breaches
[01:55.730 --> 01:58.370]  that happened earlier.
[01:58.770 --> 02:03.010]  One of them was Zynga, which faced a data breach
[02:03.010 --> 02:06.110]  affecting around 200 million customers.
[02:07.290 --> 02:11.010]  British Airways recently, a year back,
[02:11.010 --> 02:16.710]  faced a huge fine due to a data breach.
[02:17.190 --> 02:21.550]  And there was this health application
[02:22.170 --> 02:25.650]  which used to suggest the weight
[02:26.910 --> 02:30.050]  or the calories you were taking in.
[02:30.050 --> 02:36.910]  So let's say you need to record the calories
[02:36.910 --> 02:40.110]  you have taken in for dinner or for lunch.
[02:40.110 --> 02:45.470]  It would predict the weight for you,
[02:45.470 --> 02:47.690]  so you can maintain it more easily.
[02:48.430 --> 02:54.990]  And in the data breach, 150 million accounts were affected
[02:56.010 --> 02:58.030]  and the data is still out there.
[03:00.570 --> 03:03.750]  This year, there was a security misconfiguration
[03:03.750 --> 03:05.630]  in Firebase databases,
[03:05.630 --> 03:08.930]  which allowed malicious actors or users
[03:09.870 --> 03:13.810]  who could pass a specific and simple parameter
[03:13.810 --> 03:18.730]  to look into the whole database,
[03:18.730 --> 03:21.590]  or all of the data in the database.
[03:25.300 --> 03:27.280]  With the passage of time,
[03:27.280 --> 03:29.520]  the vulnerabilities of Android applications,
[03:29.520 --> 03:33.180]  or of Android itself, have been increasing year by year.
[03:33.180 --> 03:38.280]  So let's say in 2009, we had five vulnerabilities.
[03:38.280 --> 03:42.680]  And when we look at 2016 and onwards,
[03:42.680 --> 03:44.940]  we have a large number of vulnerabilities
[03:45.480 --> 03:48.180]  in Android and Android applications.
[03:50.020 --> 03:52.040]  So how did I discover vulnerabilities
[03:52.040 --> 03:55.060]  in one of the applications I was looking into?
[03:55.700 --> 03:59.340]  So this specific application had around 1.5 million
[03:59.340 --> 04:01.240]  downloads on the App Store
[04:02.060 --> 04:04.480]  with a great reputation.
[04:05.240 --> 04:08.660]  They had been providing premium services to their customers,
[04:08.660 --> 04:10.000]  to their premium customers.
[04:10.000 --> 04:14.620]  So let's say you need to modify the notification,
[04:14.620 --> 04:16.980]  the time of the notification,
[04:16.980 --> 04:21.220]  and customize the notification: for premium users,
[04:22.160 --> 04:24.940]  if you are one of them,
[04:24.940 --> 04:27.140]  that would be very easy for you.
[04:28.060 --> 04:29.980]  If you want to send greeting cards
[04:29.980 --> 04:36.960]  or cards for a specific occasion,
[04:36.960 --> 04:38.620]  you could easily do that
[04:38.620 --> 04:41.300]  by going to the specific function,
[04:42.080 --> 04:44.620]  generating a specific greeting card
[04:44.620 --> 04:46.820]  or occasion card,
[04:47.240 --> 04:50.160]  and writing down whatever you want to.
[04:53.020 --> 04:58.210]  So while looking into the application
[04:58.530 --> 05:01.130]  from a technical perspective,
[05:01.130 --> 05:03.890]  I found the application was using Firebase
[05:03.890 --> 05:05.670]  for the data storage.
[05:06.310 --> 05:09.730]  And they were using Google Cloud Platform
[05:09.730 --> 05:13.050]  for their dynamic stuff,
[05:13.050 --> 05:16.590]  or let's say the stuff they wanted to host.
[05:17.510 --> 05:21.190]  And also the Google Identity Toolkit:
[05:21.190 --> 05:23.070]  let's say you are a user
[05:23.070 --> 05:26.110]  who wants to register on this platform;
[05:26.110 --> 05:29.930]  all of the identity and access management
[05:29.930 --> 05:33.430]  was handled by the relying party,
[05:33.430 --> 05:36.970]  which is also known as the Google Identity Toolkit.
[05:36.970 --> 05:40.730]  So this area really fascinated me,
[05:40.730 --> 05:44.570]  and I decided to look more into this perspective.
[05:45.390 --> 05:49.390]  So when I went into the Google Identity Toolkit,
[05:49.390 --> 05:51.150]  there were a lot of functions
[05:51.810 --> 05:54.710]  that were visible in their documentation.
[05:54.710 --> 05:58.050]  I went through their whole documentation one by one
[05:58.050 --> 06:02.810]  and tried every function on this application,
[06:03.280 --> 06:07.930]  and tried to find out which of the functions
[06:07.930 --> 06:10.450]  were enabled by this application
[06:10.450 --> 06:12.710]  and which of them were disabled.
[06:13.540 --> 06:17.190]  So one of the functions, which says get account info,
[06:17.880 --> 06:19.690]  was really fascinating for me
[06:19.690 --> 06:21.510]  and really interesting for me.
[06:21.510 --> 06:25.930]  So let's say I wanted to find details for an account
[06:25.930 --> 06:27.810]  if it is registered on the platform
[06:27.810 --> 06:30.930]  or if it is not registered on the platform.
[06:30.930 --> 06:35.670]  This specific function was able to return the details
[06:35.670 --> 06:39.630]  for a specific account or for a specific email address
[06:39.630 --> 06:43.330]  or for a number, if known.
[06:44.550 --> 06:49.070]  So what I did was I searched for the organization's emails,
[06:49.610 --> 06:52.890]  and one of them was the no-reply email
[06:52.890 --> 06:54.090]  that was not registered,
[06:55.170 --> 06:59.210]  and I found that to be available for signup.
[06:59.210 --> 07:03.070]  I signed up with that email address.
[07:03.130 --> 07:06.950]  Again, it wasn't sending a verification token
[07:07.210 --> 07:08.430]  to the email address
[07:08.430 --> 07:13.090]  and allowed users to log in directly to the application.
[07:13.110 --> 07:15.830]  So I signed up through this email address
[07:15.830 --> 07:18.430]  and I was logged in as a corporate user,
[07:18.750 --> 07:23.690]  with the same privileges a corporate user would have.
[07:24.810 --> 07:28.710]  So in the second attacking scenario,
[07:28.710 --> 07:33.690]  the API, as we discussed API security earlier,
[07:34.230 --> 07:38.090]  this API was actually using the local ID,
[07:38.090 --> 07:42.710]  which was, again, part of the Google Identity Toolkit.
[07:42.710 --> 07:47.350]  The API was providing the local ID along with the username.
[07:47.730 --> 07:52.550]  So what I did was I tried to replace local ID one
[07:52.550 --> 07:57.930]  with local ID two, and the username respectively.
[07:58.290 --> 08:01.390]  And my request was submitted,
[08:01.390 --> 08:06.590]  was approved, and was responded to.
[08:06.590 --> 08:10.770]  And I got a response to that request successfully.
[08:10.770 --> 08:14.290]  So that means I can take over an account,
[08:14.290 --> 08:18.510]  or I can post anything from a specific account,
[08:18.510 --> 08:21.450]  by using the local ID and the username,
[08:22.040 --> 08:23.590]  if known.
[08:25.100 --> 08:27.770]  So in the third attacking scenario,
[08:27.770 --> 08:33.530]  the API, the marketing API, was used by the APK.
[08:33.530 --> 08:35.910]  So while reverse engineering the APK,
[08:35.910 --> 08:39.090]  I found this specific marketing API.
[08:39.090 --> 08:42.070]  And then when I Googled that marketing API,
[08:42.070 --> 08:45.350]  I discovered the domains and subdomains
[08:45.350 --> 08:47.470]  that the application was using.
[08:47.470 --> 08:50.490]  So that increased my attack surface
[08:50.810 --> 08:53.150]  against that organization
[08:53.790 --> 08:57.870]  from a broader perspective.
[08:57.870 --> 09:01.830]  And then I was able to access one of their internal portals
[09:02.470 --> 09:07.250]  which was used for support purposes.
[09:09.370 --> 09:11.230]  Now I had found everything
[09:11.230 --> 09:13.670]  and found all of the vulnerabilities
[09:14.170 --> 09:17.010]  in this specific application.
[09:17.010 --> 09:19.370]  It was time to disclose them responsibly
[09:19.370 --> 09:21.630]  to the organization.
[09:22.330 --> 09:25.070]  So I reached out to their platform,
[09:25.070 --> 09:26.350]  their support platform.
[09:26.350 --> 09:29.970]  Again, I knew the internal portal they were using.
[09:29.970 --> 09:33.930]  So I reached out to their customer support
[09:33.930 --> 09:37.990]  and requested them to look into the vulnerabilities,
[09:37.990 --> 09:40.410]  but I just didn't submit those vulnerabilities
[09:40.410 --> 09:41.950]  on a public platform.
[09:41.950 --> 09:44.330]  Rather, I asked them for an email address
[09:44.970 --> 09:47.830]  or a support platform
[09:47.830 --> 09:50.750]  where I could post these vulnerabilities
[09:51.550 --> 09:53.530]  in a very secure way.
[09:53.670 --> 09:59.150]  And then they invited me to another platform.
[09:59.270 --> 10:01.590]  I submitted all the vulnerabilities,
[10:01.590 --> 10:03.830]  all the bugs, to that platform.
[10:04.210 --> 10:08.670]  I received a response from the engineering team.
[10:08.670 --> 10:10.970]  Again, that took a lot of time.
[10:11.030 --> 10:14.850]  That, I guess, took around a month.
[10:14.850 --> 10:18.930]  But again, a response, a positive response
[10:18.930 --> 10:23.790]  from such an organization was really appreciated.
[10:24.830 --> 10:29.510]  So I got this email from their head of platform engineering.
[10:29.510 --> 10:32.470]  And this was an unexpected moment for me
[10:32.470 --> 10:36.930]  because I wasn't expecting any kind of monetary support
[10:37.450 --> 10:40.230]  or any kind of monetary benefit
[10:41.230 --> 10:45.530]  in response to the bugs that I submitted.
[10:45.750 --> 10:47.890]  So I was really grateful
[10:47.890 --> 10:50.690]  to their platform engineering team
[10:50.690 --> 10:52.430]  and their head of platform engineering
[10:53.390 --> 10:55.130]  for considering the vulnerabilities
[10:55.970 --> 11:01.390]  and acknowledging my efforts.
[11:03.070 --> 11:06.110]  So what is the conclusion of all of this exercise
[11:06.110 --> 11:12.930]  or all of the effort that we had invested?
[11:13.390 --> 11:15.610]  So when you are disclosing vulnerabilities
[11:15.610 --> 11:19.450]  to an organization, you should act responsibly.
[11:19.450 --> 11:23.590]  So let's say you are disclosing a vulnerability
[11:25.510 --> 11:27.870]  to an organization that doesn't have
[11:27.870 --> 11:31.250]  any vulnerability disclosure program
[11:31.250 --> 11:34.390]  or coordinated vulnerability disclosure program.
[11:34.390 --> 11:36.430]  You look for their engineering teams,
[11:36.430 --> 11:38.330]  their development teams.
[11:38.450 --> 11:42.430]  You can approach them in a very respectful manner
[11:43.390 --> 11:47.010]  and provide as much detail as you can.
[11:47.650 --> 11:49.630]  Also respect privacy.
[11:49.630 --> 11:52.530]  So let's say you found a vulnerability
[11:53.470 --> 11:58.930]  that is around insecure direct object reference,
[11:59.850 --> 12:07.470]  or that revolves around insecure ways of accessing data;
[12:07.470 --> 12:10.350]  what you can do is create two accounts for yourself,
[12:10.630 --> 12:14.710]  and then you can play with both of your accounts
[12:14.970 --> 12:19.910]  and see if any of this has any vulnerabilities
[12:20.410 --> 12:22.430]  or bugs in it.
[12:22.430 --> 12:25.610]  And then you can submit that, stating
[12:25.860 --> 12:29.360]  that both of the accounts are used by you.
[12:31.340 --> 12:33.690]  Again, play within the boundaries,
[12:34.280 --> 12:39.720]  as discussed earlier in my talk.
[12:40.790 --> 12:42.230]  There are certain boundaries
[12:42.230 --> 12:44.490]  and there are certain responsibilities
[12:44.490 --> 12:47.330]  that lie on the shoulders
[12:47.330 --> 12:50.530]  of the information security researcher.
[12:50.710 --> 12:55.070]  So look through these boundaries and act responsibly.
[12:55.070 --> 12:56.530]  And then again, patience,
[12:56.530 --> 13:00.170]  because that's what is needed the most.
[13:06.810 --> 13:11.810]  So there have been certain vulnerability disclosure programs
[13:12.410 --> 13:14.570]  out on the internet.
[13:15.050 --> 13:19.170]  YesWeHack has a really cool plugin
[13:19.170 --> 13:22.610]  for Google Chrome, I guess,
[13:22.610 --> 13:26.150]  and for Mozilla Firefox; you can integrate that.
[13:26.150 --> 13:30.670]  When you are visiting a website or an application,
[13:30.670 --> 13:34.330]  you can get the details
[13:34.830 --> 13:38.050]  of the vulnerability disclosure program.
[13:38.250 --> 13:40.390]  And even if they are not available
[13:40.390 --> 13:42.350]  on these platforms,
[13:42.350 --> 13:45.050]  you can approach them at the email address
[13:45.050 --> 13:50.230]  they have specified in their usual security.txt folder.
[13:51.330 --> 13:53.390]  There are a lot of bug bounty platforms
[13:53.710 --> 13:55.670]  which support the vulnerability disclosure
[13:55.670 --> 13:58.610]  or the coordinated vulnerability disclosure programs.
[13:58.610 --> 14:01.390]  So you can approach these platforms as well
[14:01.390 --> 14:07.170]  and submit your vulnerabilities in an efficient way.
[14:07.170 --> 14:09.770]  And then again, as I discussed,
[14:09.770 --> 14:11.990]  the development or engineering department,
[14:11.990 --> 14:15.470]  because they are the ones who are developing the applications
[14:15.810 --> 14:17.690]  and they know the stuff.
[14:19.570 --> 14:22.370]  With that, I would like to thank everyone
[14:22.370 --> 14:25.250]  again for joining in.
[14:25.770 --> 14:30.230]  Stay safe and hack the planet more responsibly.
[14:30.590 --> 14:36.270]  I'll be available around the Discord Red Team channel.
[14:36.270 --> 14:38.930]  So if you have any questions, please drop them in,
[14:38.930 --> 14:42.790]  or you have my email address and Twitter account,
[14:42.790 --> 14:43.990]  The Handler.
[14:44.030 --> 14:47.670]  So you can share your concerns over email,
[14:47.670 --> 14:49.950]  or I mean, you can share your concerns
[14:49.950 --> 14:53.670]  and your questions over Twitter or Discord
[14:53.670 --> 14:55.790]  or whatever medium you would like to.
[14:55.790 --> 14:57.090]  Thank you so much.
[14:57.090 --> 14:57.930]  Goodbye.
